Here's everything that's wrong with America's insecure electronic voting machines, and what to do about it


The University of Pennsylvania's Matt Blaze (previously) is a legendary figure in cryptography and security circles; most recently he convened Defcon's Vote Hacking Village where security experts with no particular knowledge of voting machines repeatedly, fatally hacked surplus voting machines of the sort routinely used in US elections.

Last month, Blaze made a statement to the House of Representatives' Committee on Oversight and Government Reform Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs Hearing on Cybersecurity, in which he comprehensively laid out the problems with today's voting technology, how this state of affairs came to be, and what the US must do, urgently, to correct a terrifying vulnerability in a foundational democratic process.

In particular, Blaze points out that the threat model for voting machines is a dirty candidate who tries to tip the scales in their favor, but that in the real world, nation-states attack each other by discrediting the results of elections, sowing enough doubt about the accuracy of the vote count to delegitimize the winner.

Blaze makes three principal recommendations: first, adopt precinct-counted optical scan ballots, which can be machine-tabulated but can be recounted by hand if the software is suspect or corrupt; second, conduct random "risk limiting audits" at every election to spot systemic problems as they emerge and to deny adversaries the opportunity to use small elections as testbeds for larger, more ambitious attacks; and finally, increase the funding and resources to train local election officials "to help them more effectively defend their systems against increasingly sophisticated adversaries."

Electronic voting systems must resist not only fraud from corrupt candidates and supporters, but also election disruption from hostile nation-state adversaries. This is a much more formidable threat, and one that current systems, especially those using DRE technology, are even less equipped to resist.

The most obvious difference between traditional fraud from corrupt candidates and disruption by hostile state actors is the expected resources and capabilities available to the attacker. The intelligence services of even relatively small nations can marshal far greater financial, technical, and operational resources than even the most sophisticated corrupt domestic criminal attacker. For example, intelligence services can be expected to conduct espionage operations against the voting system supply chain. In such operations, the aim might be to obtain confidential source code or to secure surreptitious access to equipment before it is even shipped to county officials. Hostile intelligence services can exploit information and other assets developed broadly over extended periods of time, often starting well before any specific operation or attack has been planned.
